If we had our way, the more important something is, the more simply it would be named. ‘Passwords’ are important, and easy to talk about. So are ‘keys’ and ‘padlocks’ and other physical security devices.
Multifactor authentication sadly doesn’t fall under the simply-named category, but it is very, very important. It’s the “Who goes there, friend or foe?” of online security.
Type in your username and password, and you are immediately logged in.
For many day-to-day activities, if you use a secure, unique password and a password manager, and trust the website to handle its security properly, that username/password combination is perfectly fine. But for anything business-critical (email, banking, CRM, cloud storage etc.) or anything personally important (Facebook, your password manager, PayPal etc.), it isn’t nearly secure enough.
As suggested, at the very least you should be using a password manager such as LastPass to make sure you can safely use complicated, different passwords for each website.
Multifactor or Two-Step Verification
Strictly speaking these are different things, but the terms tend to be used interchangeably.
An extra level of security is added after typing in your username and password. Most commonly, this is done using your mobile phone. This can mean typing in a code sent to your mobile or generated by an app on your phone. Alternatively, some systems connect to an app on your phone and generate a pop-up message, allowing you to confirm the log-in is genuine.
Some websites ask security questions, but if your password ever gets compromised then there is a chance this information will too. You may well have seen friends on social media asking you to reply to questions like “What is your ‘stage name’? Answer with your first pet’s name and your mother’s maiden name”. It sounds like harmless fun, but think about the danger of revealing that security information to the world, potentially forever.
Other less common options include a USB stick you plug into your computer, a keypad you insert your bank card into, or biometrics – e.g. fingerprint or eyeball scanners.
Security experts warn that text messages with such codes can be intercepted, and prefer generating codes or prompts on your phone. Bear in mind, though, that at this point in time such interception is unlikely, and all of these methods are safer than only using a password.
When to use multifactor authentication
You should certainly be using it on any critical accounts: your bank, Office365, GSuite, Dropbox or other cloud storage services, LastPass, 1Password or any other password managers.
It would probably make sense to use it wherever you store payment details or other sensitive data too.
If you have a fairly anonymous Twitter account that you only use to follow the latest Great British Bake Off or Apprentice candidates then it’s probably not worth worrying about. But your corporate Twitter account? Turn it on.
With many cloud services, including all those named above, multifactor authentication for your account is built-in and free-of-charge. Our guides will help you get started setting it up.
We can help set up and maintain multifactor authentication for your organisation’s cloud services and your own systems and servers. We also assist with the rollout to your staff, whether through our free guides or by providing support through small groups, drop-in sessions, floor-walking or whatever works best for you.
Here’s what one of our clients, Peter Killwick of Verita, said after doing just that:
“Our work often involves handling sensitive personal and corporate information, and maintaining its security is a top priority. After discussions with EJC we recognised that no matter how good our passwords were, they could only provide so much protection. We needed a more secure solution.”
“EJC recommended a multi-factor authentication solution from ESET which was quick to deploy and simple for our people to use. The consequences of a data breach would be major for us and our clients, especially following GDPR changes.”
Peter went on to say:
“It’s essential we do everything reasonably possible to secure our systems and we’re grateful to EJC for providing us with a clear, understandable and usable solution. There are no passwords on post-it notes in this office!”
(Verita is a specialist consultancy that works with regulated organisations in the UK, including government departments, regulated private sector organisations, local authorities, police forces, charities, NHS trusts and clinical commissioning groups.)
If you’ve got any questions, or would like to talk about implementation, please click below to get in touch or give us a call on 0370 600 9700.